Hack exposed kids’ data, Swedish sports software firm fined €565K


SportAdmin, a Swedish software supplier to sports clubs, has been fined €565,000 for failing to provide an appropriate level of security to protect personal data.

In January 2025, hackers gained access to the software supplier’s IT systems via an SQL injection attack. Such an attack exploits a type of security vulnerability that allows attackers to interfere with database queries by inserting malicious SQL code into input fields.

The attacker came across information about more than 2.1 million people, most of them children. The exposed data included names, contact details, Social Security numbers, information about guardians and family relationships, sports club affiliations, and health information, such as allergies and disabilities.

This sensitive and personal information was published on the dark web in March 2025.

IMY, Sweden’s data protection and privacy authority, investigated the incident and concluded that SportAdmin failed to implement appropriate security measures, in violation of Article 32 of the General Data Protection Regulation (GDPR).

First, the software supplier offered insufficient protection against SQL injection attacks, despite known long-term risks. Second, users had excessive system permissions, which increased the impact of the data breach.

In addition, the software supplier had implemented insufficient code review routines, especially in complex and legacy code. Furthermore, the company’s monitoring systems failed to detect the intrusion in real time.

Lastly, the firm failed to regularly test and verify whether existing security measures were actually effective.

According to SportAdmin, services were shut down shortly after the intrusion was detected. After the incident, the company implemented stronger security safeguards, including a Web Application Firewall (WAF). The firm cooperated closely with IMY and informed all affected sports clubs and victims.

Due to negligence in protecting sensitive and personal information and given the scale of the incident, Sweden’s data protection and privacy authority decided to issue an administrative fine of €565,000.

“IT attacks and data leaks can never be completely ruled out, but you are obliged to have a level of security adapted to the personal data you handle. SportAdmin has not had it, and there has been a passivity in managing known risks,” Eric Leijonram, Director at IMY, says in a statement.

